Reducing Equational Theories for the Decision of Static Equivalence

Static equivalence is a well established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows for a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that allows us in some cases to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique at hand of bilinear pairings.     

计算可靠且高效的群组密钥协商协议符号化分析方法

符号化分析方法将密码原语视为黑盒,且未研究其需要满足的具体安全属性,因而计算可靠性一直备受质疑.而且,这类方法在分析参与者数目较多的群组密钥协商协议时不具有高效性.针对上述两个问题,文中提出了一种计算可靠且高效的群组密钥协商协议符号化分析方法.该方法通过为符号化表达式设计一个Pattern函数,定义了模幂运算需要满足的具体安全属性,并基于此证明了符号化分析Burmester-Desmedt协议在通用可组合安全框架下是计算可靠的.进而通过数学归纳法,证明了Burmester-Desmedt协议的安全性与参与者数目无关,避免了参与者数目对符号化分析造成的影响,提高了符号化分析方法的效率.     

Limits of the BRSIM/UC soundness of Dolev–Yao-style XOR

The abstraction of cryptographic operations by term algebras, called Dolev–Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made in proving that Dolev–Yao models can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of blackbox reactive simulatability (BRSIM)/UC, a notion that essentially means the preservation of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to the Dolev–Yao models and natural implementations. However, these results are so far restricted to core cryptographic systems like encryption and signatures. Typical modern tools and complexity results around Dolev–Yao models also allow operations with more algebraic properties, in particular XOR because of its clear structure and cryptographic usefulness. We show that it is not possible to extend the strong BRSIM/UC results to XOR, at least not with remotely the same generality and naturalness as for the core cryptographic systems. We also show that for every potential soundness result for XOR with secrecy implications, one significant change to typical Dolev–Yao models must be made. On the positive side, we show the soundness of a rather general Dolev–Yao model with XOR and its realization in the sense of BRSIM/UC under passive attacks. A preliminary version of this paper appeared in Proc. 10th European Symposium on Research in Computer Security [9]     

基于可信密码模块的SoC可信启动框架模型

为满足嵌入式终端对信息安全的要求,设计了基于可信密码模块的SoC可信启动框架。该框架的特点在于对引导程序U-boot做功能上的分割,且存储在不同的非易失性存储器中,并增设了通信模块,使之在操作系统启动之前就具有发送和接收文件的功能。将引导程序的各部分与操作系统核心文件均作为可信实体,发送至可信密码模块进行完整性度量,若度量成功则可信密码模块返回下一阶段的启动信号并在其本地存储器中保存可信实体;若度量失败则禁止启动。实验结果表明,该框架是可行、有效的,可以满足现今嵌入式终端在信息安全方面的需要。     

密码协议的一种安全模型

将密码协议与密码算法视为一个系统,建立了密码协议系统的一种安全模型.基于假设/保证的组合推理技术提出了新的假设/保证推理规则和假设/保证推理算法,证明了该规则的完备性,实现了密码协议系统的模型检查,并重点解决了系统分解问题、假设函数的设定问题、进程+逻辑的系统特性描述问题等难题.以kerberos密码协议系统为例,利用该安全模型和假设/保证推理技术对密码协议系统进行了安全验证.     

基于身份数字签名方案的通用可组合安全性

在通用可组合安全性框架下定义了基于身份的数字签名方案的通用可组合安全性。证明了基于身份数字签名方案的通用可组合安全性与传统的安全性——在选择消息和选择身份攻击下的不可存在性伪造——之间的等价性。这一结果表明基于身份的数字签名方案可以作为安全的密码原语用于构建更复杂的密码协议。     

Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach

In the Horn theory based approach for cryptographic protocol analysis, cryptographic protocols and (Dolev?CYao) intruders are modeled by Horn theories and security analysis boils down to solving the derivation problem for Horn theories. This approach and the tools based on this approach, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols. However, dealing with the algebraic properties of operators, such as the exclusive OR (XOR), which are frequently used in cryptographic protocols has been problematic. In particular, ProVerif cannot deal with XOR. In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories. A large class of intruder capabilities and protocols that employ the XOR operator can be modeled by these theories. Our reduction allows us to carry out protocol analysis using tools, such as ProVerif, that cannot deal with XOR, but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, used it for the fully automatic analysis of several protocols that employ the XOR operator. Among others, our analysis revealed a new attack on an IBM security module.     

Abstraction and resolution modulo AC: How to verify Diffie–Hellman-like protocols automatically

We show how cryptographic protocols using Diffie–Hellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativity–commutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the so-called pure eavesdropper model.     

密码协议形式化分析的计算合理性

基于Abadi-Rowgaway的形式化加密的计算合理性定理,提出和证明了密码协议形式化分析的计算合理性定理。通过对群密钥分配协议安全性的分析,说明定理对协议的可选择攻击具有较强的分析能力,提出了群密钥分配协议的形式化方法与计算方法下安全性的形式化定义,并证明了其合理性。     

密码协议形式化分析的计算合理性

基于Abadi-Rowgaway的形式化加密的计算合理性定理,论文提出和证明了密码协议形式化分析的计算合理性定理。通过对群密钥分配协议的分析,说明本文的定理对协议的可选择攻击具有较强的分析能力,论文提出了群密钥分配协议的形式化方法与计算方法下安全性的形式化定义,并证明了其合理性。     

Formal modeling of random oracle programmability and verification of signature unforgeability using task-PIOAs

The task-structured probabilistic I/O automata (task-PIOA) framework provides a method to formulate and to prove the computationally bounded security of non-sequential processing systems in a formal way. Formalizing non-sequential processes for strong adversaries is not easy. Actually, existing security analyses using the task-PIOA framework are for cryptographic protocols (e.g., the EGL oblivious transfer) only against simple adversaries (e.g., honest but curious adversary). For example, there is no case study for digital signature against strong active adversaries (i.e., EUF-CMA) in the task-PIOA framework. In this paper, we propose the first formalization of digital signature against EUF-CMA in the task-PIOA framework. To formalize the non-sequential process of EUF-CMA, we introduce a new technique for the iteration of an identical action in a single session. Using the task-PIOA framework allows us to verify security of signature schemes in the non-sequential scheduling manner. We show the validity and usefulness of our formulation by giving a formal security analysis of the FDH signature scheme. In order to prove the security, we also introduce a method to utilize the power of random oracles. As far as we know, this work is the first case study to clarify usefulness of random oracles in this framework.     

On the analysis of time-aware protocols in universal composability framework

We consider the analysis of time-aware cryptographic protocols in the universal composability (UC) framework (Canetti in 2000). The tasks we consider are the timeliness of messages within an instance as well as the time of validity of cryptographic credentials where the lifetime of time stamps overlaps lots of instances. We point out that the UC analysis of time-aware protocols with global access to real time clock cannot be carried out directly within the standard model. For the resolution of the corresponding problem, we considered two ways: one is the introduction of an auxiliary timing oracle into the ideal system, while the other consists of two time models: a quantized real time source and an abstract “random-time” source, and we show an essential equivalence between them. The time models provide not only theoretical but also practical benefits.     

A Calculus for Cryptographic Protocols: The Spi Calculus

We introduce the spi calculus, an extension of the pi calculus designed for describing and analyzing cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.     

Algebra model and security analysis for cryptographic protocols

With the rapid growth of the Internet and the World Wide Web a large number of cryptographic protocols have been deployed in distributed systems for various application requirements, and security problems of distributed systems have become very important issues. There are some natural problems: does the protocol have the right properties as dictated by the requirements of the system? Is it still secure that multiple secure cryptographic protocols are concurrently executed? How shall we analy…     

Bisimilarity for the Region Calculus

A region calculus is a programming language calculus with explicit instrumentation for memory management. Every value is annotated with a region in which it is stored and regions are allocated and deallocated in a stack-like fashion. The annotations can be statically inferred by a type and effect system, making a region calculus suitable as an intermediate language for a compiler of statically typed programming languages.Although a lot of attention has been paid to type soundness properties of different flavors of region calculi, it seems that little effort has been made to develop a semantic framework. In this paper, we present a theory based on bisimulation, which serves as a coinductive proof principle for showing equivalences of polymorphically region-annotated terms. Our notion of bisimilarity is reminiscent of open bisimilarity for the -calculus and we prove it sound and complete with respect to Morris-style contextual equivalence.As an application, we formulate a syntactic equational theory, which is used elsewhere to prove the soundness of a specializer based on region inference. We use our bisimulation framework to show that the equational theory is sound with respect to contextual equivalence.     

UC安全性证明中模拟器构造方法研究

在UC模型(通用可组合安全分析模型)中密码协议安全性证明的难点是模拟器的构造,而目前模拟器的构造没有通用有效的方法可循,针对这一问题,提出了一种构造模拟器的通用有效的方法.研究了UC模型的构建原理,分析了UC安全性的本质要求,指出了符合UC安全性本质要求的模拟器存在条件以及模拟内容,在此基础上,阐述了构造模拟器的方法,并给出了该方法的正确性分析.为正确使用UC模型进行密码协议的UC安全性证明提供了切实可行的方法.     

后量子密码算法的侧信道攻击与防御综述

为解决量子计算对公钥密码安全的威胁,后量子密码成为密码领域的前沿焦点研究问题.后量子密码通过数学理论保证了算法安全性,但在具体实现和应用中易受侧信道攻击,这严重威胁到后量子密码的安全性.本文基于美国NIST第二轮候选算法和中国CACR公钥密码竞赛第二轮的候选算法,针对基于格、基于编码、基于哈希、基于多变量等多种后量子密码算法进行分类调研,分析其抗侧信道攻击的安全性现状和现有防护策略.为了深入分析后量子密码的侧信道攻击方法,按照算法核心算子和攻击类型进行分类,总结了针对各类后量子密码常用的攻击手段、攻击点及攻击评价指标.进一步,根据攻击类型和攻击点,梳理了现有防护策略及相应的开销代价.最后我们在总结部分,根据攻击方法、防护手段和防护代价提出了一些安全建议,并且还分析了未来潜在的侧信道攻击手段与防御方案.     

Are PCPs Inherent in Efficient Arguments?

Starting with Kilian (STOC ‘92), several works have shown how to use probabilistically checkable proofs (PCPs) and cryptographic primitives such as collision-resistant hashing to construct very efficient argument systems (a.k.a. computationally sound proofs), for example with polylogarithmic communication complexity. Ishai et al. (CCC ‘07) raised the question of whether PCPs are inherent in efficient arguments, and if so, to what extent. We give evidence that they are, by showing how to convert any argument system whose soundness is reducible to the security of some cryptographic primitive into a PCP system whose efficiency is related to that of the argument system and the reduction (under certain complexity assumptions).     

基于可搜索加密机制的数据库加密方案

近年来,数据外包的日益普及引发了数据泄露的问题,云服务器要确保存储的数据具有足够的安全性,为了解决这一问题,亟需设计一套高效可行的数据库加密方案,可搜索加密技术可较好地解决面向非结构文件的查询加密问题,但是仍未较好地应用在数据库中,因此,针对上述问题,提出基于可搜索加密机制的数据库加密方案.本文贡献如下:第一,构造完整的密态数据库查询框架,保证了数据的安全性且支持在加密的数据库上进行高效的查询;第二,提出了满足IND-CKA1安全的数据库加密方案,在支持多种查询语句的前提下,保证数据不会被泄露,同时在查询期间不会降低数据库中的密文的安全性;第三,本方案具有可移植性,可以适配目前主流的数据库如MySQL、PostgreSQL等,本文基于可搜索加密方案中安全索引的构建思想,利用非确定性加密方案和保序加密方案构建密态数据库安全索引结构,利用同态加密以及AES-CBC密码技术对数据库中的数据进行加密,实现丰富的SQL查询,包括等值查询、布尔查询、聚合查询、范围查询以及排序查询等,本方案较BlindSeer在功能性方面增加了聚合查询的支持,本方案改善了CryptDB方案执行完成SQL查询后产生相等性泄露和顺序泄露的安全性问题,既保证了数据库中密文的安全性,又保证了系统的可用性,最后,我们使用一个有10000条记录的Student表进行实验,验证了方案框架以及算法的有效性,同时,将本方案与同类方案进行功能和安全性比较,结果表明本方案在安全性和功能性之间取得了很好的平衡.